Chamelgang & friends - Cyberespionage groups attacking critical infrastructure with ransomware

In collaboration with Recorded Future, SentinelLabs has been tracking two distinct activity clusters targeting government and critical infrastructure sectors globally between 2021 and 2023. Researchers associate one activity cluster with the suspected Chinese APT group ChamelGang (also known as CamoFei), while the second cluster resembles previous intrusions involving artifacts linked to suspected Chinese and North Korean APT groups. The majority of the activities analysed involve ransomware or data encryption tooling.

This research highlights the strategic use of ransomware by cyberespionage actors for financial gain, disruption, or as a tactic for distraction or misattribution. The use of ransomware as part of cyber espionage activities may result in their misattribution as financially motivated operations. To further misguide attribution efforts, APT groups may purchase ransomware shared by multiple cybercriminal actors. Ransomware also provides cover for the true motive behind the central component of cyber espionage operations, data exfiltration, which is also carried out by ransomware actors that follow a multi-extortion model.

Cyberespionage operations disguised as ransomware activities provide an opportunity for adversarial countries to claim plausible deniability by attributing the actions to independent cybercriminal actors rather than state-sponsored entities. Furthermore, misattributing cyberespionage activities as cybercriminal operations can result in strategic repercussions, especially in the context of attacks on government or critical infrastructure organisations. Insufficient information sharing between the local law enforcement organisations that typically handle ransomware cases and intelligence agencies could result in missed intelligence opportunities, inadequate risk assessment, and diminished situational awareness.

Ransomware provides advantages to APT groups from an operational perspective as well. The data-destructive nature of this malware may not only disrupt systems but also destroy intrusion and attribution-relevant artifacts, assisting perpetrators in covering their tracks. It also makes the restoration of affected data and systems an immediate priority for defence teams, possibly allowing for further malicious activities to go unnoticed.


Key points:

  • Threat actors in the cyberespionage ecosystem are engaging in an increasingly disturbing trend of using ransomware as a final stage in their operations for the purposes of financial gain, disruption, distraction, misattribution, or removal of evidence.
  • This report introduces new findings about notable intrusions in the past three years, some of which were carried out by a Chinese cyberespionage actor but remain publicly unattributed.
  • SentinelLabs’ findings indicate that ChamelGang, a suspected Chinese APT group, targeted the major Indian healthcare institution AIIMS and the Presidency of Brazil in 2022 using the CatB ransomware. Attribution information on these attacks has not been publicly released to date.
  • ChamelGang also targeted a government organisation in East Asia and critical infrastructure sectors, including an aviation organisation in the Indian subcontinent.
  • In addition, a separate cluster of intrusions involving the off-the-shelf tools BestCrypt and BitLocker has affected a variety of industries in North America, South America, and Europe, primarily the US manufacturing sector.
  • While attribution for this secondary cluster remains unclear, overlaps exist with past intrusions that involve artifacts associated with suspected Chinese and North Korean APT clusters.

Conclusion

The use of ransomware by cyberespionage threat groups blurs the lines between cybercrime and cyberespionage, providing adversaries with advantages from both strategic and operational perspectives. The operational methods of APT clusters, such as ChamelGang, the APT41 umbrella, and the recently discovered Moonstone Sleet, highlight that ransomware intrusions are not exclusively conducted by financially motivated threat actors.

While the future development and dynamics of cyberespionage groups deploying ransomware remain to be seen, the advantages this practice provides remain appealing and necessitate continued awareness and vigilance. A notable recent example highlights the added benefits for the attackers. In April 2024, the US government sounded alarms about a Chinese threat actor conducting pre-positioning attacks against US critical infrastructure that could enable catastrophic impairment of US preparedness in a military engagement. The same month, a Chinese organisation released a report attributing the cyberespionage actor Volt Typhoon as a ransomware group. Researchers find this claim unpersuasive and at odds with available evidence, seeing it as an active attempt by China to portray its cyber espionage operations as cybercriminal in nature. This attribution has understandably led to speculation within the threat intelligence community as to whether it can be interpreted as China admitting to seeing value in using ransomware activity to conceal its cyberespionage operations.

When it comes to handling intrusions involving ransomware at government or critical infrastructure organisations, SentinelLabs emphasise the importance of sustained information exchange and collaboration between law enforcement and intelligence agencies. Efficient exchange of data and knowledge between the different entities handling cybercriminal and cyberespionage incidents, a detailed examination of observed artifacts, and an analysis of the broader context surrounding incidents of this type are crucial to identifying the true perpetrators, motives, and objectives.

SentinelLabs continues to monitor cyberespionage groups that challenge traditional categorisation practices.
